This article was written for Celent's new series featuring industry perspectives on critical global...
#6 - Smarter, Not More, Regulation: Rethinking the UK Financial Regulators' Approach to Critical Third Parties
This paper argues that the UK’s new critical third party rules are a solution in search of a problem. A smarter, more focused regulatory approach is necessary to avoid overregulation, reduce redundant compliance burdens arising from overlapping jurisdictions, and prevent regulatory capture.
What are your thoughts on the UK financial regulators' new rules? Let's discuss!
1/ Introduction
The UK's Financial Conduct Authority (“FCA”) has confirmed “new rules aimed to bolster the resilience of technology and other third parties providing key services to financial firms”.
While the intention to strengthen operational resilience is commendable, these rules risk imposing undue burdens on financial institutions, and they are a massive overreach: they pull firms the regulators may not currently regulate into their oversight.
We would do well to engage the FCA, the Bank of England (“BoE”), and the Prudential Regulation Authority (“PRA”) more thoroughly when they open proposed actions for comment from the industry.
2/ Smarter Regulation, Not More Regulation
Regulation is a vital tool for maintaining the integrity and stability of financial markets. However, the efficacy of regulation is not determined by its quantity.
Overregulation stifles innovation, increases operational costs, and creates regulatory fatigue.
The regulators should focus on crafting smarter regulations that are proportionate to the risks involved and that take existing regulatory obligations into account.
As the FCA itself notes, financial firms and financial market infrastructures are subject to existing outsourcing and operational resilience rules.
In addition, most of these firms have a European presence, which brings them within the sphere of influence of the European Union’s Digital Operational Resilience Act (“DORA”).
3/ DORA
DORA “aims at strengthening the IT security of financial entities such as banks, insurance companies and investment firms and making sure that the financial sector in Europe is able to stay resilient in the event of a severe operational disruption”.
The introduction of the FCA's new rules creates a dual regulatory environment where firms must navigate both UK and EU requirements. This overlap leads to:
- Increased Compliance Costs: Firms must allocate more resources to understand and comply with both sets of regulations.
- Regulatory Confusion: Differences in definitions, scopes, and requirements can create uncertainty and hinder effective compliance.
- Competitive Disadvantages: Smaller firms may struggle with the additional burden, potentially reducing competition in the market.
The industry foresaw this overlap, and the regulators sought to address it on page 32 here.
Except they didn’t.
They looked at it through the aperture of collaborating with international regulators, not through that of relief for firms already subject to DORA.
4/ Scopeless Risk
The UK financial regulators’ new rules grant the regulators significant autonomy to determine what constitutes a critical third party, and thus the power to regulate that party.
The good news: they lay out all the assessment criteria.
The bad news: the assessment is entirely subjective.
Perhaps the more eagle-eyed reader can find some numerical or statistical criteria for assessment in the document. This author could not.
In short, if the FCA, BoE, and/or PRA ‘assess’ your firm is a critical third party to the UK financial system, you now are subject to their oversight. This lack of precise assessment criteria presents several concerns:
- Vague Definition of "Critical Third Parties": Broad definitions can encompass a wide range of service providers, overwhelming both regulators and firms with compliance obligations.
- Arbitrary Enforcement: Without clear boundaries, the regulators may apply the new rules inconsistently, leading to uncertainty and unfair treatment.
- Expansion of Regulatory Orbit: The regulators may (read “will”) pull more entities, including those not posing significant systemic risks, into their regulatory purview.
Moreover, such autonomy raises the possibility of regulatory powers being weaponized against specific sectors or companies.
In extreme cases, regulators might impose stringent requirements or penalties on entities they disfavor, whether due to political pressures or subjective judgments, undermining the principles of fairness and impartiality.
And I could not find guidance on an appeal process for entities that feel they have been unjustly categorized.
5/ Conclusion
While enhancing operational resilience is a legitimate goal, these new rules will inevitably have negative consequences for the financial industry.
Overregulation, especially when overlapping with existing EU regulations like DORA, imposes significant burdens without necessarily improving systemic stability.
The broad and undefined scope of the new rules grants excessive autonomy to regulators, risking arbitrary enforcement and potential misuse of power.
These rules should not have been published without much greater scrutiny from the private sector.
I am surprised at the lack of pushback.